Privacy Matters: Protect Your Patients When They Point and Click

As hospitals and providers increasingly connect with their patients through technology and turn to mobile health apps to help manage patient care, it can be difficult to determine what federal laws, if any, may apply to the collection of health information through such apps. In some cases, app developers function as business associates of providers or hospitals, and the app developer is therefore subject to HIPAA’s privacy and security rules.  In others, however, a provider may offer an app to patients, but the app developer is not acting as a business associate to the provider. A gray area results, in which patients may disclose health information in an app, but that information is not protected by HIPAA (the Office of Civil Rights has provided helpful guidance on this issue, available here, as has the Federal Trade Commission, available here).

The fact that HIPAA may not be relevant to certain mobile health apps does not mean that health care providers are off the hook in terms of protecting patient information. When HIPAA does not apply, a host of other laws could, including:

  • The FTC Act, Section 5 – this section generally prohibits unfair or deceptive acts, and gives the FTC broad enforcement power with respect to company actions.
  • The FTC Health Breach Notification Rule – this rule requires organizations not covered by HIPAA to notify consumers if there’s a breach of unsecured, individually identifiable electronic health information.
  • State consumer protection and data privacy laws – nonprofits, typically outside the jurisdiction of the FTC, should take note of state laws that may apply to them.

A recent FTC action involving the computer company Lenovo offers a cautionary tale for hospitals and health systems as they engage vendors in the digital health space in contexts that may not implicate HIPAA. Lenovo settled with the FTC and 32 state attorneys general for allegedly overlooking a security flaw in partner software pre-loaded on its computers, potentially exposing the personal data of hundreds of thousands of consumers. While Lenovo argued that its vendor should have been held responsible for the security flaw, the FTC looked to Lenovo as the responsible party because it had the relationship with consumers.

As the Lenovo case demonstrates, the party with the consumer relationship increasingly bears responsibility for its vendors’ actions.  This places the onus on the provider – the party with the patient relationship – to reasonably ensure that app developers adequately protect any patient information entered into an app, regardless of whether the app developer is acting as a business associate.

The takeaway: A comprehensive vendor management policy should be a key component within your security architecture.  Each health system’s policy will differ based on its scope and the types of third-party partnerships and technologies it engages, but following some general guidelines, and designating a point person on vendor relationships, is a good place to start.  In addition, your vendor due diligence should include an assessment of which laws apply to the partnership.  If HIPAA does not apply, entities should still work to ensure that the vendor will adequately protect patient information since, as the Lenovo case illustrates, you could be liable if they do not.